CWE-611: Improper Restriction of XML External Entity Reference (XXE)

1,115 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.

CVEs classified under CWE-611 (page 1 of 23)
- CVE-2005-1306 | HIGH | CVSS 7.5 | EG 7.5 | 2005-06-15
  The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulnerability."
- CVE-2009-1699 | HIGH | CVSS 7.5 | EG 7.5 | 2009-06-10
  The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbit…
- CVE-2010-3322 | HIGH | CVSS 8.8 | EG 8.8 | 2010-09-14
  The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.
- CVE-2011-3600 | HIGH | CVSS 7.5 | EG 7.5 | 2019-11-26
  The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it c…
- CVE-2012-0037 | MEDIUM | CVSS 6.5 | EG 6.5 | 2012-06-17
  Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read arbitrary files via a crafted XML exter…
- CVE-2012-1102 | HIGH | CVSS 7.5 | EG 7.5 | 2021-07-09
  It was discovered that the XML::Atom Perl module before version 0.39 did not disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access to otherwise protected resources, depe…
- CVE-2012-2239 | CRITICAL | CVSS 9.1 | EG 9.1 | 2012-11-24
  Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.
- CVE-2012-2656 | HIGH | CVSS 7.5 | EG 7.5 | 2019-12-18
  An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtain sensitive information.
- CVE-2012-3489 | MEDIUM | CVSS 6.5 | EG 6.5 | 2012-10-03
  The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary…
- CVE-2012-5656 | MEDIUM | CVSS 5.5 | EG 5.5 | 2013-01-18
  The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.
- CVE-2013-0340 | NONE | CVSS 0.0 | EG 0.0 | 2014-01-21
  expat before version 2.4.0 does not properly handle entity expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP…
- CVE-2013-1824 | NONE | CVSS 0.0 | EG 0.0 | 2013-09-16
  The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML Exte…
- CVE-2013-1915 | NONE | CVSS 0.0 | EG 0.0 | 2013-04-25
  ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entit…
- CVE-2013-4333 | CRITICAL | CVSS 9.1 | EG 9.1 | 2020-01-24
  OpenPNE 3 versions 3.8.7, 3.6.11, 3.4.21.1, 3.2.7.6, 3.0.8.5 has an External Entity Injection Vulnerability.
- CVE-2013-4334 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-07
  opWebAPIPlugin 0.5.1, 0.4.0, and 0.1.0: XXE Vulnerabilities.
- CVE-2014-0931 | CRITICAL | CVSS 9.1 | EG 9.1 | 2018-04-20
  Multiple XML external entity (XXE) vulnerabilities in the (1) CCRC WAN Server / CM Server, (2) Perl CC/CQ integration trigger scripts, (3) CMAPI Java interface, (4) ClearCase remote client, and (5) CMI and OSLC-based ClearQuest integration…
- CVE-2014-0950 | HIGH | CVSS 7.1 | EG 7.1 | 2018-04-20
  Multiple XML external entity (XXE) vulnerabilities in (1) CQWeb / CM Server, (2) ClearQuest Native client, (3) ClearQuest Eclipse client, and (4) ClearQuest Eclipse Designer components in IBM Rational ClearQuest 7.1.1 through 7.1.1.9, 7.1.…
- CVE-2014-125087 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-02-19
  A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to ad…
- CVE-2014-2052 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-11
  Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
- CVE-2014-2296 | HIGH | CVSS 8.8 | EG 8.8 | 2018-07-20
  XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass auth…
- CVE-2014-3005 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-01
  XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a cra…
- CVE-2014-3242 | NONE | CVSS 0.0 | EG 0.0 | 2014-05-12
  SOAPpy 0.12.5 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
- CVE-2014-3244 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-01
  XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
- CVE-2014-3599 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-11-12
  HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy.
- CVE-2014-3643 | HIGH | CVSS 7.5 | EG 7.5 | 2019-12-15
  jersey: XXE via parameter entities not disabled by the jersey SAX parser.
- CVE-2014-3990 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-03-20
  The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitra…
- CVE-2014-5238 | HIGH | CVSS 7.8 | EG 7.8 | 2020-01-14
  XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text docu…
- CVE-2015-10029 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-01-07
  A vulnerability classified as problematic was found in kelvinmo simplexrd up to 3.1.0. This vulnerability affects unknown code of the file simplexrd/simplexrd.class.php. The manipulation leads to xml external entity reference. Upgrading to…
- CVE-2015-10082 | MEDIUM | CVSS 5.5 | EG 9.8 | 2023-02-21
  A vulnerability classified as problematic has been found in UIKit0 libplist 1.12. This affects the function plist_from_xml of the file src/xplist.c of the component XML Handler. The manipulation leads to xml external entity reference. The …
- CVE-2015-1809 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-15
  XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.
- CVE-2015-1811 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-15
  XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.
- CVE-2015-3907 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-07-03
  CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE attacks.
- CVE-2015-7461 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-03-20
  XML external entity (XXE) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote authenticated users to cause a denial of service (memory consumption) via crafted XML data. IBM X-Force ID: 108357.
- CVE-2015-7968 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-03-09
  nwbc_ext2int in SAP NetWeaver Application Server before Security Note 2183189 allows XXE attacks for local file inclusion via the sap/bc/ui2/nwbc/nwbc_ext2int/ URI.
- CVE-2015-8031 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-18
  Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks.
- CVE-2015-8549 | HIGH | CVSS 7.1 | EG 7.1 | 2020-01-15
  XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.
- CVE-2015-9280 | CRITICAL | CVSS 10.0 | EG 10.0 | 2019-01-16
  MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.
- CVE-2016-0219 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-01-16
  XML external entity (XXE) vulnerability in IBM Rational Team Concert 3.0 before 3.0.1.6 iFix7 Interim Fix 1, 4.0 before 4.0.7 iFix10, 5.0 before 5.0.2 iFix15, and 6.0 before 6.0.1 iFix4 allows remote authenticated users to cause a denial o…
- CVE-2016-0250 | MEDIUM | CVSS 5.4 | EG 5.4 | 2018-03-12
  XML external entity (XXE) vulnerability in IBM InfoSphere Information Governance Catalog 11.3 before 11.3.1.2 and 11.5 before 11.5.0.1 allows remote authenticated users to read arbitrary files or cause a denial of service via crafted XML d…
- CVE-2016-0268 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-03-09
  XML external entity (XXE) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and…
- CVE-2016-0369 | LOW | CVSS 2.7 | EG 2.7 | 2018-02-21
  XML external entity (XXE) vulnerability in IBM Forms Experience Builder 8.5, 8.5.1, and 8.6 allows remote authenticated users to obtain sensitive information via crafted XML data. IBM X-Force ID: 112088.
- CVE-2016-15011 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-01-06
  A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java.…
- CVE-2016-15026 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-02-20
  A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrad…
- CVE-2016-8526 | HIGH | CVSS 8.8 | EG 8.8 | 2018-08-06
  Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exists on external systems. If an unprivileged user is permitted to co…
- CVE-2016-9487 | HIGH | CVSS 7.8 | EG 7.8 | 2018-07-13
  EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, o…
- CVE-2016-9491 | MEDIUM | CVSS 4.9 | EG 4.9 | 2018-07-13
  ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Appl…
- CVE-2016-9563 | MEDIUM | CVSS 6.5 | EG 9.0 | ⚠ KEV | 2016-11-23
  BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
- CVE-2017-1000477 | HIGH | CVSS 7.5 | EG 7.5 | 2018-01-03
  XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.
- CVE-2017-1000496 | HIGH | CVSS 8.8 | EG 8.8 | 2018-01-03
  Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code.
- CVE-2017-1000497 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-01-03
  Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution.